Category: Security

Bug researcher found himself deep in the US army network

A security bug researcher who was invited by the US Army to look for holes in the system found himself rather a little deeper into the network than he, or the army, expected.

The US Army shared some surprising results from its first bug bounty programme, a three-week trial in which it invited 371 security researchers “trained in figuring out how to break into computer networks they’re not supposed to”.

The Army said the experiment was a success and it received more than 400 bug reports, 118 of which were unique and actionable.

Participants who found and reported unique bugs that were fixed were paid upwards of $100,000…

The Army also shared high-level details on one issue that was uncovered through the bounty by a researcher who discovered that two vulnerabilities on the goarmy.com website could be chained together to access, without authentication, an internal Department of Defense website.

The researcher got in through an open proxy, meaning the routing wasn’t shut down the way it should have been. But the researcher, without even knowing it, could get to this internal network, because there was a vulnerability with the proxy, and with the actual system.

On its own, neither vulnerability was particularly interesting, but when you pair them together, it’s serious.

Dutch web developer back-doored his own websites

A Dutch developer accessed the accounts of over 20,000 users after collecting their login information via backdoors installed on the websites he built.

Inspector Knacker of the Dutch Yard said that he will be on the blower to the victims about the crook’s actions.

He was arrested on 11, 2016, in Zwolle, the Netherlands, and police proceeded to raid two houses the crook owned, in Leeuwarden and Sneek [surely sneak.ed].

Police say they received the first tips regarding the crook’s actions in November 2014, when a user complained about finding purchases someone else made on his behalf.

It looked like a cyber-fraud investigation, but after two years of gathering data and expanding the investigation’s scope with the addition of digital forensics experts in the spring of 2016, police realised what the crook was doing.

The 35-year-old suspect was hired to build e-commerce sites for various companies. After doing his job, the developer left backdoors in those websites, which he used to install various scripts that allowed him to collect information on the site’s users.

Police say that it’s impossible to determine the full breadth of his hacking campaign, but evidence found on his laptop revealed he gained access to over 20,000 email accounts.

The hacker used his access to these accounts to read people’s private email conversations, access their social media profiles, sign up for gambling sites and access online shopping sites to make purchases for himself using the victims’ funds.

The suspect has been in jail since his arrest, and his pre-trial proceedings started last October.

 

Chelsea Manning has her sentence shortened

President Barack Obama has shortened the prison sentence of Chelsea Manning, the former US military intelligence analyst who was responsible for a 2010 leak of classified materials to anti-secrecy group WikiLeaks.

Manning has been a focus of a worldwide debate on government secrecy since she provided more than 700,000 documents, videos, diplomatic cables and battlefield accounts to WikiLeaks – a leak for which she was sentenced to serve 35 years in prison. Obama, in one of his final acts before leaving office, reduced her sentence to seven years.

Manning was working as an intelligence analyst in Baghdad in 2010 when she gave WikiLeaks a trove of diplomatic cables and battlefield accounts that included a 2007 gunsight video of a US Apache helicopter firing at suspected insurgents in Iraq, killing a dozen people including two Reuters news staff.

Manning was born male but revealed after being convicted of espionage that she identifies as a woman. The White House said her sentence would end on May 17 this year.

Prison has been tough on Manning, who has tried to kill herself twice. Obama said that one of the reasons that she has been pardoned is that she accepted responsibility for leaking the material.

The official said Obama’s decision was rooted in Manning’s sentence being longer than sentences given to others who had committed comparable crimes. Obama, who leaves office on Friday and is scheduled to give his final news conference on Wednesday, is expected to discuss his decision then.

The move has been welcomed by Amnesty International which has said that Chelsea Manning exposed serious abuses, and her own human rights have been violated by the US government for years.

The Republicans are furious, claiming that Manning’s leaks had put US lives in danger. Of course that is not as dangerous as having a president who owes the Russians lots of money.

Apple sells out key ally to the Chinese

While the New York Times has faithfully acted as Apple’s unpaid press office and sacrificed its credibility as a technology source, it seems that the fruity-cargo cult has sold it out at the first opportunity.

Apple has removed the New York Times news apps from its app store in China following a request from the Chinese authorities.

It purged both the English-language and Chinese-language apps from the iTunes store in China just before Christmas.

The request comes as the Cyberspace Administration of China (CAC), the country’s top internet regulatory body, has called for greater media scrutiny, citing fears of social disorder, moral harm and threats to national security.

New York Times spokeswoman Eileen Murphy told Reuters that the request by the Chinese authorities to remove our apps is part of their wider attempt to prevent readers in China from accessing independent news coverage by The New York Times of that country.

It has asked Apple to reconsider its decision; after all, Apple owes it more than a few favours. Apple claims that the app is in violation of local regulations, so it does not matter how many glowing reviews the paper writes on the iPhone 7, it is not going to get into China.

The Chinese government has blocked The Times’ websites since 2012 when it actually did its job and ran a series of articles on the wealth amassed by the family of Wen Jiabao, who was then prime minister.

Ironically, apps from CNN, The Wall Street Journal and the Financial Times were still available in the app store.

 

US senators investigate Russian hacking

While Donald (Prince of Orange) Trump is denying his chum Tsar Vladimir Putin unleashed his team of hackers to help him win the election, senior U.S. intelligence officials will testify in Congress on Thursday on Russia’s alleged cyber-attacks during the 2016 election campaign.

Trump has not been briefed on the hacks yet, but that has not stopped him denying they took place. He is apparently going to receive details on the DNC hack today.

He is already heading for a spat with Democrats and fellow Republicans in Congress, many of whom don’t like Putin and distrust Trump’s praise of the chap.

Director of National Intelligence James Clapper, National Security Agency Director Mike Rogers and Undersecretary of Defense for Intelligence Marcel Lettre are expected to appear before the Senate Armed Services Committee, which is chaired by Republican John McCain, a vocal critic of Putin.

Their testimony on cyber threats facing the United States will come a week after President Barack Obama ordered the expulsion of 35 Russian suspected spies and imposed sanctions on two Russian intelligence agencies over their alleged involvement in hacking U.S. political groups in the 2016 election.

US intelligence agencies say Russia was behind hacks into Democratic Party organizations and operatives before the presidential election, a conclusion supported by several private cybersecurity firms. Moscow denies it.

US intelligence officials have also said the Russian cyber-attacks aimed to help Trump defeat Democrat Hillary Clinton. Several Republicans acknowledge Russian hacking during the election but have not linked it to an effort to help Trump win.

Documents stolen from the Democratic National Committee and John Podesta, Clinton’s campaign manager, were leaked to the media in advance of the election, embarrassing the Clinton campaign.

Trump and top advisers believe Democrats are trying to delegitimize his election victory by accusing Russian authorities of helping him.

However, he has not helped his case by nominating Moscow-friendly types to senior administration posts, including secretary of state nominee Rex Tillerson, who while Exxon Mobil chief executive, was awarded the Order of Friendship, a Russian state honour, by Putin in 2013.

The Senate Foreign Relations Committee will also hold a closed-door hearing today to look at Russia’s alleged hacking and harassment of US diplomats.

 

Clothing range can trigger image recognition

A range of rather interesting fashion clothing could be used by those who want to stuff up CCTV facial recognition systems.

The design, by the Hyperface project, involves printing patterns on to clothing or textiles that computers think are faces, in a fightback against spying technology.

German artist and technologist Adam Harvey aims to confuse these facial recognition systems by presenting them with shed-loads of false hits so they can’t tell which one is the real McCoy.

Patterns are printed onto clothing so that the computer sees them as eyes, mouths and other features that a computer can interpret as a face.

Speaking at the Chaos Communication Congress hacking conference in Hamburg, Harvey said: “You can change the way you appear, but, in camouflage you can think of the figure and the ground relationship. There’s also an opportunity to modify the ‘ground’, the things that appear next to you, around you, and that can also modify the computer vision confidence score.”

His method involves “overloading an algorithm with what it wants, over-saturating an area with faces to divert the gaze of the computer vision algorithm.”

 

Snowden knows that Trump was given a hand by Putin

While the FBI, CIA and President Barack Obama all agree that Russia hacked the DNC and asserted its will on the US presidential election, they seem to be having difficulty convincing the world.

If you post news about the hack anywhere online you will normally get otherwise sane people parroting the mantra that “there is no proof.”

So far most of the proof has come from private security companies who normally would be accepted without question, but for some reason no one is believing them this time. Official comments from the spooks are short on anything that people call proof.

Donald (Prince of Orange) Trump has done his best to claim that it was not his good chum President Putin. He claims that hacking is hard to prove.
Only it really isn’t. According to a new document leaked by Edward Snowden, the NSA has successfully traced a hack back to Russian intelligence at least once before.

A classified excerpt from a page from the NSA’s internal wiki shows that the NSA once verified that Russian journalist Anna Politkovskaya’s email account had been targeted by Russian Federal Intelligence Services a year before her 2006 murder.

The information is classified as “Top Secret Signals Intelligence” which means that the NSA knows Politkovskaya’s email was hacked by Russian operatives because they were able to trace the hack back to Russian intelligence.

The entry itself doesn’t specifically say how this trace was accomplished or provide the evidence — but the existence of the entry shows that the NSA is wholly capable of tracing such hacks back to their source.

While it does not prove that Russia gamed the US election, it shows that the US intelligence agencies can gather the proof. It also shows that when the proof is found it is classified. The US does not want to risk showing its hand to foreign operators.

This would lead to a strange situation where President Obama, all the spooks and the White House dog all know that Russia gamed the election and can take action against Russia, but the rest of the world will not know why.

When Trump takes office in a couple of weeks he will know too, but it is unlikely he will say anything. After all he owes Putin’s Oligarch mates rather a lot of money.

Hackers rule the airline booking systems

Insecurity experts working for German security outfit Security Research Labs have found that hackers appear to have the power to upgrade themselves to flying business class.

Writing in their company blog, Karsten Nohl and Nemanja Nikodijevic said that airline booking systems were designed back in the 1960s and have not been updated, which means that both airlines and the customers who use their services are extremely vulnerable to hackers wishing to gain access.

The main problem is that the Global Distribution System (GDS) used by the airlines is based on a restricted access code, a six-character Passenger Name Record (PNR), which customers are given when they purchase a ticket—it is also printed on all of their luggage.

The restricted part of the code means that the number and types of characters that can be used must fall within a predetermined range—that makes it easier for hackers using computers to run through all the possibilities. Since the customer’s last name is associated with the PNR, hackers can simply type in a common name, such as Smith, and then have the computer run through all the GDS character possibilities until a hit is found, allowing access to that person’s flight record.

This allows the hackers to change information on a flight record, which they demonstrated by reassigning a reporter to a seat next to a politician on a real flight.

The weakness means that a hacker could tie their frequent flyer number to a host of other flights and give themselves credit for thousands of miles.

The researchers also reported that they have notified the makers of the three main GDS systems of their findings and expect that some of the holes in the systems will be fixed soon, while others may require a full rewrite, obviously taking a lot longer.
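The detection side of the enumeration described above, as an added example (not code from the article or from Security Research Labs): it flags a surname that collects many distinct wrong booking codes in a short window, counted across all client addresses. The event tuple layout, the sample rows and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of booking-lookup events (not real data):
# (unix_time, client_ip, last_name, pnr_tried, record_found)
SAMPLE_EVENTS = [
    (1000, "198.51.100.7", "JANSEN", "K3PQ7Z", False),  # customer typo
    (1020, "198.51.100.7", "JANSEN", "K3PQ72", True),
    (2000, "203.0.113.10", "SMITH", "AAAA2B", False),
    (2003, "203.0.113.11", "SMITH", "AAAA2C", False),
    (2006, "203.0.113.12", "SMITH", "AAAA2D", False),
    (2009, "203.0.113.10", "SMITH", "AAAA2E", False),
    (2012, "203.0.113.11", "SMITH", "AAAA2F", False),
    (2015, "203.0.113.12", "SMITH", "AAAA2G", False),
    (2018, "203.0.113.10", "SMITH", "AAAA2H", True),
]


def find_enumeration(events, window=60, max_misses=5):
    """Return {last_name: {"misses": n, "ips": [...]}} for every surname that
    saw more than max_misses distinct wrong codes within `window` seconds.

    Counting per surname rather than per IP matters here: the attack fixes
    one common name and walks the code space, so spreading requests over
    several addresses slips under a per-IP limit but not under this one.
    """
    misses = defaultdict(list)
    for ts, ip, name, pnr, found in events:
        if not found:
            misses[name.upper()].append((ts, pnr, ip))

    flagged = {}
    for name, rows in misses.items():
        rows.sort()  # order the failed lookups by time
        start = 0
        for end in range(len(rows)):
            # Advance the left edge until the span fits inside the window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            in_window = rows[start:end + 1]
            distinct = {pnr for _, pnr, _ in in_window}
            seen = flagged.get(name, {"misses": 0})["misses"]
            if len(distinct) > max(max_misses, seen):
                flagged[name] = {
                    "misses": len(distinct),
                    "ips": sorted({ip for _, _, ip in in_window}),
                }
    return flagged


if __name__ == "__main__":
    for name, info in find_enumeration(SAMPLE_EVENTS).items():
        print(name, info)
```

In the constructed sample no single address makes more than two failed lookups, so a per-address threshold of five would stay silent while the per-surname count trips.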

Android bugs hard to shift from tellies

For a while now security experts have feared that Android viruses will find their way into smart tellies. Now this is starting to happen, and quirks in the telly industry appear to be preventing the viruses being fixed.

Software engineer Darren Cauthon found that one of his family members had an LG smart TV infected with ransomware on Christmas day. However, when he rang LG for help, the outfit told him he would have to take the telly into the shop to be fixed.

Based on a screenshot Cauthon posted online, the smart TV was infected with the Cyber.Police ransomware, also known as FLocker, Frantic Locker, or Dogspectus.

The infected TV is one of the last generations of LG smart TVs that ran Google TV, a smart TV platform developed by Google together with Intel, Sony, and Logitech. Google TV launched in 2010, but Google discontinued the project in June 2014.

LG really can’t be bothered with Google TV, and the company’s TVs now run WebOS.

When Cauthon tried to reset the TV to factory settings, the reset procedure available online didn’t work.

When the software engineer contacted LG, the company told him to visit one of their service centres, where one of its employees could reset his TV.

Czechs form police fake news unit to defend against Putin

The Czech Republic is setting up a new counter-terrorism unit to combat the rise of fake news or “foreign disinformation campaigns.”

Dubbed “The Center Against Terrorism and Hybrid Threats”, the unit will start operations on January 1.

Apparently the new center will monitor internal security threats, including attacks on soft targets and extremism, as well as “disinformation campaigns related to internal security.”

Czech spooks have alleged that the Russians have been running disinformation and cyber-espionage activities against the Czech Republic, European Union and NATO. The Czech Republic is due to hold a general election next year and it is a bit worried that Tsar Putin will attempt to put his favoured candidate in power – in much the same way as he did in the US elections.

According to the Czech Security Information Service (BIS) annual report, Russia in 2015 used “influence and information operations” to try to manipulate public opinion in the Czech Republic in relation to Syria and Ukraine. Russia is involved in conflicts in both these countries.

The report claimed that Russia’s hybrid warfare operations included “weakening the strength of Czech media” through “covert infiltration of Czech media and the Internet, massive production of Russian propaganda and disinformation controlled by the state.”

Russian operations included founding puppet organizations, the “covert and open support of populist or extremist subjects,” and “disrupting the coherence and readiness of NATO and the EU.”

“The above-mentioned activities pose a threat to the Czech Republic, EU and NATO not only in relation to the Ukrainian and Syrian conflicts. The infrastructure created for achieving these goals will not disappear with the end of the two conflicts. It can be used to destabilise or manipulate Czech society or political environment at any time, if Russia wishes to do so.”

According to the Czech interior ministry, its new unit won’t be interrogating anyone, censoring online content or bringing legal proceedings, nor will it “have a button for ‘switching off the internet.’” But it will monitor threats, inform the public about “serious cases of disinformation” and promote internal security expertise.